It was my pleasure to make and appearance on the Network Security Podcast with Martin McKeay and Rich Mogull. We had some interesting conversations about SQL Injection, how we got started in computer security, thoughts on the CISSP certification, PCI and its usefullness, and general security banter.

For those that may not know, Rich is a former analyst for a very large analyst firm, and Martin works in the security industry for a company specializing in PCI.

You can download the Network Security Podcast episode 103 here.

I wanted to thank everyone for attending yesterday's Shore Patrol meeting. We had a fun-filled afternoon of security related presentations and discussion. I wanted to post the slides for each presentation for reference:

• "Attack Trends - What the bad guys are up to" - Paul Asadoorian, OSHEAN, Inc.
• "Metadata - The Silent Killer" - Larry Pesce, Care New England
• "Periscope - The New IPAudit" - Tyler Whittaker, OSHEAN, Inc. (Coming Soon)
• "Benefits of Statewide Intrusion Detection" - Dave Batastini, URI

If all goes well we should be able to post the audio, video, and slides such that they can be watched together. Stay tuned!

Paul

Recently I taught a 2-day hacking course here at OSHEAN titled "Cutting-Edge Hacking Techniques", writen by Ed Skoudis, and offered by The SANS Institute. The students learned a lot, and as always when I teach, so did I. I summarized my thoughts and experiences on a guest blog posting I wrote for my friends over at GNUCITIZEN:

 
Read the full posting here.

Enjoy!

Cheers,

Paul

With the abundance of IM (Instant Messaging) services available on the Internet its easy to start using a service because you already have an account. For example, MSN, Yahoo!, and Aol all have chat protocols that you can use to talk to your coworkers, friends, and family. However, In the default configurations chat communications are not secure because:

• They do not use encryption - Most protocols, by default, do not encrypt the username and password, nor do they encrypt the data in transit. This means that anyone with a network sniffer, especially on a wireless network, can intercept your logon credentials and chat communications.
• There is no identity assurance - Who is to say that you are really talking to your friend "Bob" via instant messaging? How do you know if the latest request to add a user to your contacts list is really that user? I always ask for additional authentication when adding users to my contact list, such as a PGP signed email, because the protocols do not include anything of this nature by default.
• Your data goes through 3rd party servers - When you use online chat services your information, such as all of your chat communications, goes through several servers located on the Internet. If one of these servers were to become compromised in any way, your chat communications could become public.

• Jabber is encrypted - All Jabber communications are encrypted from the client to the server hosted at OSHEAN.
• User verification - OSHEAN staff verifies each user added to the Jabber server.
• Your data never leaves the OSHEAN network - By using a local Jabber server you chat communications never go through 3rd party servers when chatting with OSHEAN members who have accounts on our server. To get an OSHEAN Jabber account please email tech /at/ oshean.org.

We also recommend that in addition to using Jabber as your communications protocol that you also use OTR (Off-The-Record) which will encrypt your chat sessions using public/private key encryption technology. This further protects you from data snooping, and provides assurance that you are really talking to "bob".

The Internet2 Presence and Integrated Communications Working Group Promotes Jabber for many of these very same reasons and are using it to promote communications. You can sign up for a demo of what the PIC group has been working on which uses the Jabber technology.

Social networks have become a very popular usage of so-called "Web 2.0" technology. Web sites, such as Facebook and LinkedIn, have begun to move towards targeting working professionals, in addition to the traditional younger college and/or high school crowd. Myself, and others, have been doing extensive research into the security (and insecurity) present in social networking web sites. You may now be wondering, "Just how have you been doing your research?". Well, we decided to register ourselves on several social networking web sites to see just how they work, and just how ourselves and others could break them and abuse the security present in these web sites. What we've found has been very interesting, and useful for providing the community with information about the risks, and tips to protect themselves:

The “Evil Twin” attack was an experiment we performed, and turned out to be wildly successful. We registered a Facebook account as someone else, using an email address we controlled, pictures we downloaded from the Internet, and information we gathered from various publicly available sources. Our attack was very successful, several people believed that the person we faked was real and started to add them as a friend. The best defense here is to register yourself on social networking web sites to prevent others from doing so. We did a segment about this which you can read about and listen to here.

If you use social networking sites regularly you might say, “only people in my network can see my information or my pictures”. This may be true, however XSS vulnerabilities have exposed that information. For example, millions of pictures marked “private” on the popular social network site MySpace, and subsequently Facebook, were suddenly public due to a vulnerability. Once something is “public” on the Internet, there is no going back, its archived in cyberspace forever. Even without vulnerabilities there are groups on sites such as Facebook, and to a certain extent LinkedIn, that automatically allow others in your group to see your profile. For example, I was placed in the group “Providence, RI”, a group anyone can join, and now thousands of people can see my profile. You should always treat information on the Internet as public, whether marked "private" or not.

Recently there has been an unknown exploit of Facebook that is hijacking people’s Facebook accounts and putting up grotesque images, a social network “Rick Roll” attack with a bizarre twist. Reportedly there was a vulnerability in Facebook that allowed this to happen. However, recently I got the following email:

Looking at the link highlighted in red closely you see that it does not go to Facebook at all, but to some other site, which looks exactly like the Facebook login page, but really is an attacker collecting your username and password. Why would someone launch a phishing attack against Facebook? I'm still not certain why this information is so valuable that it is being targeted by attackers? If nothing else it proves that social networking sites are not only more popular, but represent an area that potentially could be profitable for attackers - as soon as I figure out how, I will let you know :).

Social networks are all about sharing information, however they’re a great way to distribute attacks. Attackers are not looking to use social networks to distribute links to a trusted audience, not just for fun, but profit! Use extreme caution when using social networks and try to think how attackers could use this information and technology against you.